iPhone Password Shockingly Easy To Steal From iOS Users


Elis Riebow

Jun 12, 2024, 4:54:36 AM
to bleakresccufu

Apple and Google have made it so easy to load our entire lives onto our phones while also keeping all that information protected with advanced authentication methods. But there's a crucial weak link that can open up everything within if you're unlucky enough to be watched and that's the authentication method you use to unlock your phone. We don't want to fearmonger you into any unnecessary action, but with a rise of highly-coordinated iPhone thefts in the past couple of years, we do think it's a good idea that you upgrade from a numerical passcode to at least an alphanumeric password.


But swift moves like that aren't just for the sake of reselling your device on the open market: both Apple ID and Google accounts offer an account password reset method that only requires users to pass authentication on their device. In gaining access to those accounts, thieves can then access other personal information and use it to raid cloud storage, siphon from bank accounts and credit lines, and even defraud others with that stolen identity, all the while blocking the victim from being able to regain control because all the account information has been changed.

This is a trend that's difficult to quantify and while iPhone ownership can be part of the stereotype of a high-value target, we're likely not getting a full picture strictly from what Stern is reporting through her police contacts and those who have shared their stories.

Whatever the stats are on Android device thefts, you should know that the same essential exploit is also present on Android phones: as the esteemed Mishaal Rahman points out, thieves can gain control of victims' Google accounts by going through the password reset flow and authenticating with their device's passcode.

Beyond Rahman's instructions, malicious actors may be able to pass the second factor of authentication if it is required by choosing the "Tap Yes on your phone or tablet" method because the prompt would be sent to the device in hand and the Google app flow would be able to detect said prompt, passing the check.

It doesn't matter if you opt for facial recognition or a fingerprint scan because those methods can fall back to either a passcode, a password, or a pattern lock. So, our best advice to you at the moment is to upgrade your device passcode or pattern lock to an alphanumeric password.

We know it's not a pretty thought, especially because in addition to being one of those things you can't handle with a password manager or authentication app, this will be yet another primary password you'll need to remember with all the pitfalls that come with complexity and memory. It'd also be ironic and tragic if thieves could overcome the best password you can keep in your head that isn't 5aP9had^Q or something like that. At the very least, Apple and Google should not be accepting basic single-device authentication methods as checks on resetting account passwords.

Our sign-in and account-recovery policies try to strike a balance between allowing legitimate users to retain access to their accounts in real-world scenarios and keeping the bad actors out. Physical possession of a phone and knowledge of the passcode are - in general - strong signals of device ownership that we use daily to thwart attacks on user accounts and to help legitimate users regain access themselves in common scenarios, like forgetting their account password.

Google Account Recovery flows also have reasonable time-limited protections against hijackers changing passwords or recovery factors set up by the legitimate users - provided users have set up a recovery phone and/or recovery email.

To mitigate issues from potential physical device and PIN theft, our recommendation for users remains to ensure they have enabled 2-Step Verification and set up a recovery phone and email before an event occurs. On the device, users can also select an alphanumeric password to increase the difficulty of access for criminals. We also recommend utilizing biometric authentication as much as possible to make it more difficult for criminals to gain knowledge of PINs.

Jules joined the Android Police team in 2019. He currently produces videos, creates art for our stories, and edits our podcast. Before that, he wrote features and news, managed our weekend content, and wrote AP's newsletter.

Jules also contributes to our sister site XDA-Developers and was previously at Pocket-lint and Pocketnow.

I don't know what it is, exactly, that drives so many developers to store session information in local storage, but whatever the reason: the practice needs to die out. Things are getting completely out of hand.

Almost every day I stumble across a new website storing sensitive user information in local storage and it bothers me to know that so many developers are opening themselves up to catastrophic security issues by doing so.

Let's start with the basics: local storage is a new feature of HTML5 that basically allows you (a web developer) to store any information you want in your user's browser using JavaScript. Simple, right?

In practice, local storage is just one big old JavaScript object that you can attach data to (or remove data from). Here's an example of some JavaScript code that stores some of my personal info in local storage, echoes it back to me, and then (optionally) removes it:

Now you might be wondering if there's some way to use local storage so that the data you store is automatically deleted at some point and you don't need to manually delete every single variable you put in there. Luckily, the HTML5 working group (shout out!) has your back. They added something called sessionStorage to HTML5 which works exactly the same as local storage except that all data it stores is automatically deleted when the user closes their browser tab.

Now that we're on the same page about what local storage is, let's talk about what makes it cool! Even though the whole point of this article is to dissuade you from using local storage to store session data, local storage still has some interesting properties.

For one thing: it's pure JavaScript! One of the annoying things about cookies (the only real alternative to local storage) is that they need to be created by a web server. Boo! Web servers are boring and complex and hard to work with.

If you're building a static site (like a single page app, for instance), using something like local storage means your web pages can run independently of any web server. They don't need any backend language or logic to store data in the browser: they can just do it as they please.

Another neat thing about local storage is that it doesn't have as many size constraints as cookies. Local storage provides at least 5MB of data storage across all major web browsers, which is a heck of a lot more than the 4KB (maximum size) that you can store in a cookie.

This makes local storage particularly useful if you want to cache some application data in the browser for later usage. Since 4KB (the cookie max size) isn't a lot, local storage is one of your only real alternative options.

It can only store string data. Boo. This makes it pretty useless for storing data that's even slightly more complex than a simple string. And sure, you could serialize everything including data types into local storage, but that's an ugly hack.

It can't be used by web workers =/ This means that if you want to build an application that takes advantage of background processing for performance, Chrome extensions, things like that: you can't use local storage at all since it isn't available to the web workers.

Any JavaScript code on your page can access local storage: it has no data protection whatsoever. This is the big one for security reasons (as well as my number one pet peeve in recent years).

To keep it short, here's the only situation in which you should use local storage: when you need to store some publicly available information that is not at all sensitive, doesn't need to be used in a high-performance app, isn't larger than 5MB, and consists of purely string data.

Here's the deal: most of the bad things about local storage aren't all that important. You can still get away with using it but you'll just have a slightly slower app and minor developer annoyance. But security is different. The security model of local storage IS really important to know and understand since it will dramatically affect your website in ways you may not realize.

And the thing about local storage is that it is not secure! Not at all! Everyone who uses local storage to store sensitive information such as session data, user details, credit card info (even temporarily!) and anything else you wouldn't want publicly posted to Facebook is doing it wrong.

Local storage wasn't designed to be used as a secure storage mechanism in a browser. It was designed to be a simple string only key/value store that developers could use to build slightly more complex single page apps. That's it.

Think about it like this: when you store sensitive information in local storage, you're essentially using the most dangerous thing in the world to store your most sensitive information in the worst vault ever created: not the best idea.

If an attacker can run JavaScript on your website, they can retrieve all the data you've stored in local storage and send it off to their own domain. This means anything sensitive you've got in local storage (like a user's session data) can be compromised.

And that's a reasonable point. If your website is truly secure and no attacker can run JavaScript code on your website then you are technically safe, but in reality that is incredibly hard to achieve. Let me explain.

If an attacker can get a copy of your JWT, they can make requests to the website on your behalf and you will never know. Treat your JWTs like you would a credit card number or password: don't ever store them in local storage.

There are thousands of tutorials, YouTube videos, and even programming classes at universities and coding boot camps incorrectly teaching new developers to store JWTs in local storage as an authentication mechanism. THIS INFORMATION IS WRONG. If you see someone telling you to do this, run away!
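One way to check an application for the practice described above, as an added example that is not part of the original article: an audit that walks a Web Storage object and reports every key whose value is, or embeds, a JWT. The names `makeStorage`, `looksLikeJwt` and `auditStorage` and the sample data are assumptions made for illustration.

```javascript
// Added example: find token-shaped values that any script on the page could read.

// In-memory stand-in for the Web Storage API so the audit also runs outside a browser.
function makeStorage() {
  const data = new Map();
  return {
    get length() { return data.size; },
    key: (i) => Array.from(data.keys())[i] ?? null,
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(String(k), String(v)); }, // strings only, like the real API
  };
}

// Decode a base64url segment to text; throws on malformed input.
function fromB64url(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  return atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
}

// A JWT is three base64url segments whose first segment decodes to a JSON header with "alg".
function looksLikeJwt(candidate) {
  try {
    const header = JSON.parse(fromB64url(candidate.split('.')[0]));
    return typeof header === 'object' && header !== null && 'alg' in header;
  } catch {
    return false;
  }
}

// Return the storage keys whose value is, or embeds (e.g. serialized JSON), a JWT.
function auditStorage(storage) {
  const findings = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    const candidates = (storage.getItem(key) ?? '').match(/[\w-]+\.[\w-]+\.[\w-]+/g) || [];
    if (candidates.some(looksLikeJwt)) findings.push(key);
  }
  return findings;
}

// Constructed sample data: the token is built here and is not a real credential.
const enc = (obj) => btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleJwt = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc({ sub: 'user-123' })}.c2lnbmF0dXJl`;
const sample = makeStorage();
sample.setItem('theme', 'dark');
sample.setItem('docsHost', 'www.example.com');
sample.setItem('session', JSON.stringify({ user: 'alice', token: sampleJwt }));
sample.setItem('id_token', sampleJwt);
console.log(auditStorage(sample));
```

In a browser the same function accepts the real object, `auditStorage(window.localStorage)`, because it only uses `length`, `key()` and `getItem()`.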
